[SR-Users] Kamailio & Asterisk SIP Registration Forwarding - Asterisk replies 401 Unauthorized

Alberto Sagredo alberto.sagredo at avanzada7.com
Mon Jul 20 08:14:11 CEST 2015


OK. Great

Regards

2015-07-17 20:38 GMT+02:00 Ben Fitzgerald <ben at letscorp.us>:

> I think I have fixed the authentication issue yet the SIP dialog has
> completely changed. Now the dialog involves Asterisk sending SIP NOTIFY to
> Kamailio, which is then forwarded to the client. Kamailio.cfg has no routes
> to handle NOTIFY and there are no SUBSCRIBE messages preceding the NOTIFY.
> Only REGISTER and 200 OK. Is this expected behavior? The sipregs database
> is now correctly updated when a peer registers so that's good.
>
> Benjamin Fitzgerald
> LETS Corporation
> (925) 235-1154
> ben at letscorp.us
>
>
>
>
> *******Confidential Notice:
> This message is intended only for the use of the individual or entity to
> which it is addressed and may contain information that is privileged,
> confidential and exempt from disclosure under applicable law. If the reader
> of this message is not the intended recipient, you are hereby notified that
> any dissemination, distribution or copying of this communication is
> strictly prohibited. If you have received this message in error, please
> delete this message from all computers and contact Orion Systems/LETS Corp
> immediately by return e-mail and/or telephone at (925) 566-5600
>
> On Thu, Jul 16, 2015 at 2:59 PM, Ben Fitzgerald <ben at letscorp.us> wrote:
>
>> Thank you for the qualify solution, that worked.
>>
>> However, on the KB by asipto, they only create a `sipreg` and `sipusers`
>> table and then in extconfig.conf for asterisk, sipusers and sippeers are
>> both using the `sipusers` table in MySQL.
>>
>> I included a sip trace in the original email but I will include a more
>> detailed sip debug here. It looks like Asterisk and Kamailio can exchange
>> messages but for some reason, the SIP dialog stops after Asterisk sends
>> back a SIP 401 Unauthorized to Kamailio. Any ideas?
>>
>> *1. Kamailio using sipgrep*
>>
>> T 2015/07/16 14:50:52.393582 UserAgentIP:64521 -> KamailioIP:5060
>>  [AP]
>> REGISTER sip:opvpnx.ulets.us SIP/2.0.
>> Via: SIP/2.0/TCP 192.168.0.179:64521
>> ;alias;branch=z9hG4bK.j~V~btADL;rport.
>> From: <sip:102 at opvpnx.ulets.us>;tag=QZ7de-7u5.
>> To: sip:102 at opvpnx.ulets.us.
>> CSeq: 29 REGISTER.
>> Call-ID: puXkrkIICT.
>> Max-Forwards: 70.
>> Supported: outbound.
>> Accept: application/sdp, text/plain, application/vnd.gsma.rcs-ft-http+xml.
>> Contact: <sip:102@
>>  UserAgentIP:64521;transport=tcp>;+sip.instance="<urn:uuid:f8f0aa7c-5b20-4ff2-ac5a-d7b4004afb50>".
>> Expires: 3600.
>> User-Agent: Alpha TalkIphone/2.2.5-80-g783bf67 (belle-sip/1.4.0).
>> Content-Length: 0.
>> Authorization:  Digest realm="opvpnx.ulets.us",
>> nonce="VagoaFWoJzylK0MxoOAIPTRhtZBlmVmr", username="102",  uri="sip:
>> opvpnx.ulets.us", response="24b8f292fca38e72fbcf36417dcecd24".
>> .
>>
>>
>> T 2015/07/16 14:50:52.440789 KamailioIP:5060 -> UserAgentIP:64521
>>  [AP]
>> SIP/2.0 200 OK.
>> Via: SIP/2.0/TCP 192.168.0.179:64521
>> ;alias;branch=z9hG4bK.j~V~btADL;rport=64521;received= UserAgentIP.
>> From: <sip:102 at opvpnx.ulets.us>;tag=QZ7de-7u5.
>> To: sip:102 at opvpnx.ulets.us;tag=723cfa83f1495d1e63c1f1bb20bde818.a56d.
>> CSeq: 29 REGISTER.
>> Call-ID: puXkrkIICT.
>> Contact: <sip:102@
>>  UserAgentIP:64521;transport=tcp>;expires=3600;received="sip: UserAgentIP:64521;transport=tcp";+sip.instance="<urn:uuid:f8f0aa7c-5b20-4ff2-ac5a-d7b4004afb50>".
>> LETSSBC.
>> Content-Length: 0.
>> .
>>
>> *#*
>> *# These next two messages when Kamailio forwards REGISTER to Asterisk*
>> *#*
>>
>> T 2015/07/16 14:50:52.466461 KamailioIP:43488 -> AsteriskIP:5060
>>  [AP]
>> REGISTER sip: AsteriskIP:5060;transport=tcp SIP/2.0.
>> Via:
>> SIP/2.0/TCP KamailioIP;branch=z9hG4bK328c.29246e24000000000000000000000000.0.
>> To: <sip:102@ AsteriskIP >.
>> From: <sip:102@ AsteriskIP >;tag=32fda68bf54efeeb04e3edc67b53c63d-3497.
>> CSeq: 10 REGISTER.
>> Call-ID: 2ee5ec48557bba33-31464@ KamailioIP.
>> Max-Forwards: 70.
>> Content-Length: 0.
>> User-Agent: kamailio (4.3.0 (x86_64/linux)).
>> Contact: <sip:102@ KamailioIP:5060>.
>> Expires: 3600.
>> .
>>
>>
>> T 2015/07/16 14:50:52.494578 AsteriskIP:5060 -> KamailioIP:43488
>>  [AP]
>> SIP/2.0 401 Unauthorized.
>> Via:
>> SIP/2.0/TCP KamailioIP;branch=z9hG4bK328c.29246e24000000000000000000000000.0;received= KamailioIP.
>> From: <sip:102@ AsteriskIP >;tag=32fda68bf54efeeb04e3edc67b53c63d-3497.
>> To: <sip:102@ AsteriskIP >;tag=as0eb2442e.
>> Call-ID: 2ee5ec48557bba33-31464@ KamailioIP.
>> CSeq: 10 REGISTER.
>> Server: Asterisk PBX 11.6-cert2.
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
>> PUBLISH.
>> Supported: replaces, timer.
>> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk",
>> nonce="5b30f8aa".
>> Content-Length: 0.
>>
>> *2. Asterisk using sip set debug on*
>>
>> t91*CLI>
>>
>> <--- SIP read from TCP: KamailioIP:43488 --->
>> REGISTER sip: AsteriskIP:5060;transport=tcp SIP/2.0
>> Via:
>> SIP/2.0/TCP KamailioIP;branch=z9hG4bK328c.29246e24000000000000000000000000.0
>> To: <sip:102@ AsteriskIP >
>> From: <sip:102@ AsteriskIP >;tag=32fda68bf54efeeb04e3edc67b53c63d-3497
>> CSeq: 10 REGISTER
>> Call-ID: 2ee5ec48557bba33-31464@ KamailioIP
>> Max-Forwards: 70
>> Content-Length: 0
>> User-Agent: kamailio (4.3.0 (x86_64/linux))
>> Contact: <sip:102@ KamailioIP:5060>
>> Expires: 3600
>>
>> <------------->
>> --- (11 headers 0 lines) ---
>> Sending to KamailioIP:5060 (no NAT)
>> Sending to KamailioIP:5060 (no NAT)
>>
>> <--- Transmitting (no NAT) to KamailioIP:5060 --->
>> SIP/2.0 401 Unauthorized
>> Via:
>> SIP/2.0/TCP KamailioIP;branch=z9hG4bK328c.29246e24000000000000000000000000.0;received=
>> KamailioIP
>> From: <sip:102@ AsteriskIP >;tag=32fda68bf54efeeb04e3edc67b53c63d-3497
>> To: <sip:102@ AsteriskIP >;tag=as0eb2442e
>> Call-ID: 2ee5ec48557bba33-31464@ KamailioIP
>> CSeq: 10 REGISTER
>> Server: Asterisk PBX 11.6-cert2
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
>> PUBLISH
>> Supported: replaces, timer
>> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="5b30f8aa"
>> Content-Length: 0
>>
>>
>> <------------>
>> Scheduling destruction of SIP dialog '2ee5ec48557bba33-31464@ KamailioIP'
>> in 32000 ms (Method: REGISTER)
>> Scheduling destruction of SIP dialog '2ee5ec48557bba33-31464@ KamailioIP'
>> in 32000 ms (Method: REGISTER)
>>
>> Benjamin Fitzgerald
>> LETS Corporation
>> (925) 235-1154
>> ben at letscorp.us
>>
>>
>>
>>
>> *******Confidential Notice:
>> This message is intended only for the use of the individual or entity to
>> which it is addressed and may contain information that is privileged,
>> confidential and exempt from disclosure under applicable law. If the reader
>> of this message is not the intended recipient, you are hereby notified that
>> any dissemination, distribution or copying of this communication is
>> strictly prohibited. If you have received this message in error, please
>> delete this message from all computers and contact Orion Systems/LETS Corp
>> immediately by return e-mail and/or telephone at (925) 566-5600
>>
>> On Thu, Jul 16, 2015 at 11:48 AM, Alberto Sagredo <
>> alberto.sagredo at avanzada7.com> wrote:
>>
>>> Maybe you got to get some traces with sip set debug on on asterisk or
>>> ngrep in kamailio to check whereis the problem.
>>>
>>> I think you are not authenticating correctly
>>>
>>> Check if you insert on sipusers and sipppers table what is commented on
>>> KB by asipto.
>>>
>>> Maybe your Kamailio is not responding to OPTIONS (qualify=yes)
>>>
>>> add at the beginning of your kamailio.cfg file
>>> request_route {
>>>
>>>     if(is_method("OPTIONS") ) {
>>>
>>>                 sl_send_reply("200","Keepalive");
>>>
>>>                 exit;
>>>
>>>         }
>>>
>>> .....
>>>
>>>
>>> To solve qualify problem
>>>
>>>
>>> BR
>>>
>>> 2015-07-16 19:31 GMT+02:00 Ben Fitzgerald <ben at letscorp.us>:
>>>
>>>> Thanks for your response.
>>>>
>>>> I did read the section about the secret in the kb url. I followed the
>>>> example and inserted the test users on tFe url (101, 102, 103) and they
>>>> have secret set to NULL. I have tried both secret=NULL and secret="" and
>>>> Asterisk still asks for authentication. Also when I do "sip show peers" I
>>>> get:
>>>>
>>>> Name/username             Host                                    Dyn
>>>> Forcerport ACL Port     Status      Description
>>>>  Realtime
>>>> kamailio-inbound          kamailioIP                               a
>>>>           5060     Unmonitored
>>>>
>>>> I added qualify=yes and now:
>>>>
>>>> Name/username             Host                                    Dyn
>>>> Forcerport ACL Port     Status      Description
>>>>  Realtime
>>>> kamailio-inbound         kamailioIP                               a
>>>>         5060     UNREACHABLE
>>>>
>>>> Could this be the issue? I have verified that Kamailio receives the
>>>> responses by doing ngrep and I can see the SIP 401 from Asterisk.
>>>>
>>>> Maybe I am missing something else? I'm not sure I understand how
>>>> Asterisk's peer selection affects this. When I received the registration
>>>> request from Kamailio, the From: address and domain are the same as the To:
>>>> address and domain, which are the values I have set in the sipusers table.
>>>>
>>>> Another thing, even though the client handset says registered, the
>>>> table 'sipregs' is not updated with fullcontact, regseconds, or any data at
>>>> all. Yet I can still make a call. So maybe Asterisk is not authenticating
>>>> INVITES (whether or not it's registered) and that's why I can call.
>>>>
>>>> Any further help or things I should try?
>>>>
>>>> Benjamin Fitzgerald
>>>> LETS Corporation
>>>> (925) 235-1154
>>>> ben at letscorp.us
>>>>
>>>>
>>>>
>>>>
>>>> *******Confidential Notice:
>>>> This message is intended only for the use of the individual or entity
>>>> to which it is addressed and may contain information that is privileged,
>>>> confidential and exempt from disclosure under applicable law. If the reader
>>>> of this message is not the intended recipient, you are hereby notified that
>>>> any dissemination, distribution or copying of this communication is
>>>> strictly prohibited. If you have received this message in error, please
>>>> delete this message from all computers and contact Orion Systems/LETS Corp
>>>> immediately by return e-mail and/or telephone at (925) 566-5600
>>>>
>>>> On Thu, Jul 16, 2015 at 3:40 AM, Alberto Sagredo <
>>>> alberto.sagredo at avanzada7.com> wrote:
>>>>
>>>>> You could remove secret= on extensiones to check if its related to
>>>>> authentication or not
>>>>>
>>>>> You must not request authentication to kamailio in order to work
>>>>> properly in front of Asterisk
>>>>>
>>>>> As Daniel mention check if Kamailio peer is created and extensiones
>>>>> have no secret.. you would need to add alternate sippasswd table for
>>>>> kamailio authentication
>>>>>
>>>>> BR
>>>>>
>>>>> 2015-07-16 1:42 GMT+02:00 Ben Fitzgerald <ben at letscorp.us>:
>>>>>
>>>>>> Hi, I've been following this integration tutorial
>>>>>> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>>>>>> and have a successful registration and I can even make calls through my
>>>>>> asterisk box.
>>>>>>
>>>>>> However what is unusual to me is that every time a phone registers
>>>>>> with Kamailio, that is forwarded to Asterisk (as expected), yet Asterisk
>>>>>> replies with 401 Unauthorized. Oddly enough the phone registers and can
>>>>>> still make calls. What worries me is that as we scale to 100's of cps, this
>>>>>> seemingly erroneous message may slow down Asterisk because it's trying to
>>>>>> handle authentication for users which have already been authenticated by
>>>>>> Kamailio. If this behavior is expected, then that would be good to know as
>>>>>> well.
>>>>>>
>>>>>> This is the sip debug from ASTERISK (I have replaced IP's with the
>>>>>> names of the servers):
>>>>>>
>>>>>>
>>>>>> <--- SIP read from TCP:kamailio:41205 --->
>>>>>> REGISTER sip:asteriskIP:5060;transport=tcp SIP/2.0
>>>>>> Via: SIP/2.0/TCP
>>>>>> kamailio;branch=z9hG4bK998f.2846e405000000000000000000000000.0
>>>>>> To: <sip:40081 at asteriskIP>
>>>>>> From: <sip:40081 at asteriskIP
>>>>>> >;tag=32fda68bf54efeeb04e3edc67b53c63d-cfb0
>>>>>> CSeq: 10 REGISTER
>>>>>> Call-ID: 0005ce130bcee5c4-26538 at kamailio
>>>>>> Max-Forwards: 70
>>>>>> Content-Length: 0
>>>>>> User-Agent: kamailio (4.3.0 (x86_64/linux))
>>>>>> Contact: <sip:40081 at kamailio:5060>
>>>>>> Expires: 3600
>>>>>>
>>>>>> <------------->
>>>>>> --- (11 headers 0 lines) ---
>>>>>> Sending to kamailio:5060 (no NAT)
>>>>>> Sending to kamailio:5060 (no NAT)
>>>>>>
>>>>>> <--- Transmitting (no NAT) to kamailio:5060 --->
>>>>>> SIP/2.0 401 Unauthorized
>>>>>> Via:
>>>>>> SIP/2.0/TCP kamailio;branch=z9hG4bK998f.2846e405000000000000000000000000.0;received=
>>>>>> kamailio
>>>>>> From: <sip:40081 at asteriskIP
>>>>>> >;tag=32fda68bf54efeeb04e3edc67b53c63d-cfb0
>>>>>> To: <sip:40081 at asteriskIP>;tag=as404bac9a
>>>>>> Call-ID: 0005ce130bcee5c4-26538@ kamailio
>>>>>> CSeq: 10 REGISTER
>>>>>> Server: Asterisk PBX 11.6-cert2
>>>>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
>>>>>> INFO, PUBLISH
>>>>>> Supported: replaces, timer
>>>>>> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk",
>>>>>> nonce="262b338e"
>>>>>> Content-Length: 0
>>>>>>
>>>>>>
>>>>>> <------------>
>>>>>> Scheduling destruction of SIP dialog '0005ce130bcee5c4-26538@ kamailio'
>>>>>> in 32000 ms (Method: REGISTER)
>>>>>> Scheduling destruction of SIP dialog '0005ce130bcee5c4-26538@ kamailio'
>>>>>> in 32000 ms (Method: REGISTER)
>>>>>> Really destroying SIP dialog '0005ce130bcee5c1-26536@ kamailio'
>>>>>> Method: REGISTER
>>>>>>
>>>>>> =========================
>>>>>>
>>>>>> sip.conf for kamailio trunk:
>>>>>>
>>>>>> [kamailio-inbound]
>>>>>> type=friend
>>>>>> dtmfmode=auto
>>>>>> host=kamailioIP
>>>>>> allow=all
>>>>>> context=sipout
>>>>>> insecure=port,invite
>>>>>> canreinvite=no
>>>>>>
>>>>>> ========================
>>>>>>
>>>>>> Asterisk version: 11.6-cert2
>>>>>> Kamailio version: 4.3
>>>>>>
>>>>>> Benjamin Fitzgerald
>>>>>> LETS Corporation
>>>>>> (925) 235-1154
>>>>>> ben at letscorp.us
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> *******Confidential Notice:
>>>>>> This message is intended only for the use of the individual or entity
>>>>>> to which it is addressed and may contain information that is privileged,
>>>>>> confidential and exempt from disclosure under applicable law. If the reader
>>>>>> of this message is not the intended recipient, you are hereby notified that
>>>>>> any dissemination, distribution or copying of this communication is
>>>>>> strictly prohibited. If you have received this message in error, please
>>>>>> delete this message from all computers and contact Orion Systems/LETS Corp
>>>>>> immediately by return e-mail and/or telephone at (925) 566-5600
>>>>>>
>>>>>> _______________________________________________
>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>>>>>> list
>>>>>> sr-users at lists.sip-router.org
>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>> sr-users at lists.sip-router.org
>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>> sr-users at lists.sip-router.org
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>
>>>>
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>> sr-users at lists.sip-router.org
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20150720/88cbb2cc/attachment.html>


More information about the sr-users mailing list